Documentation challenges and considerations

  • Keeping security knowledge current within the organization
    • update processes within the organisation
    • updating the champion / org on tech changes, news, etc.
      • email-lists
      • special twitter account
      • requirement for centralized task at one of the org-sec-orgs (funding ?)
  • dynamic documentation / organizational ownership of support
  • onboarding process evolving through org sec process
  • How to deliver information - cultural, organizational, and personal preferences (written manuals, FAQs, video tutorials?)
  • Who writes the documentation? use existing docs, write custom ones, work with org to develop docs?

Lessons learned

  • Creating large monolithic documentation that includes both the policy and the instructions doesn't work. For example, abstract policy documentation (MSCW prioritization method) combined with recommended tools and links to external howtos (e.g. "use a floss password manager, we recommend keepass" or "dropbox is banned, here is our ownbox"). Updating the doc meant updating the policy, which meant that even small tool changes became comprehensive policy changes. Instead, keep things more broken-out.

Good practices

  • find champions to (co-)write tool guides (no tech savvy required) to ground-truth clarity -> creates ownership, but it is a process of very small steps
  • creating a centralized documentation system and creating an expectation to use it before seeking support (hosting problems - intranet means difficult external access; external hosting can bring bandwidth or security challenges...)
  • Establish / assess in the discovery phase how an organisation documents its own developments / policies etc. or manages knowledge, and which documentation formats are culturally/regionally appropriate

Other ideas

  • Peer support "chat" (slack-like, etc.)
  • Video tutorials on single tools

Documentation platforms

  • Wikis (challenge with getting others to update) (better interfaces, update alerts?): mediawiki / tikiwiki (heavier, buggy)
  • docs (odt/docx/pdf)
  • intranet hosted pages
  • blogs (resource not dynamic)
  • integrate it as part of the online structure the organisation already uses
  • Mobile accessibility / usability
  • criteria and considerations
    • easy to maintain / update
    • easy to collaborate in writing
    • easy to link to outside resources / balance between leveraging externally maintained documentation and providing tailored guidance
    • easy to access
    • mobile accessibility / usability
    • field/remote access
